alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (WindowsNT) With No Separating Space"; flow:established,to_server; content:"WindowsNT"; http_user_agent; content:!".rview.com|0d 0a|"; http_header; content:!".mobizen.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013721; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_09_30, updated_at 2017_01_13;)

Added 2017-08-07 21:06:58 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (WindowsNT) With No Separating Space"; flow:established,to_server; content:"WindowsNT"; http_user_agent; content:!".rview.com|0d 0a|"; http_header; content:!".mobizen.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013721; rev:6;)

Added 2017-01-13 17:22:02 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (WindowsNT) With No Separating Space"; flow:established,to_server; content:"WindowsNT"; http_user_agent; content:!".rview.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013721; rev:5;)

Added 2016-12-19 21:04:00 UTC

Hello. Please consider a rule modification.

Looks like we see one more FP for a not very good quality but legitimate Android application, Mobizen. In a nutshell, this app is for remote device management (for Android), some photo management and maybe something else.

PCAP:

POST /updateserver/getNewUpdateServerUrl HTTP/1.1
Accept: text/html, */*, application/json
Content-Type: application/json
Connection: Close
Content-Length: 0
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.1;SV1;.NETCLR
Host: www.mobizen.com

HTTP/1.1 200 OK
Cache-control: no-cache="set-cookie"
Content-Type: application/json;charset=UTF-8
Date: Thu, 12 Jan 2017 16:01:58 GMT
Server: Apache
ServerName: AUTO-xus1
Set-Cookie: JSESSIONID=.................; Path=/; HttpOnly
Set-Cookie: ..................................................................;PATH=/;MAX-AGE=60
X-Frame-Options: SAMEORIGIN
Content-Length: 834
Connection: Close

{"retcode":"200","updateserverurl":"https://download.mobizen.com","versionpath":"update/2.21.0.1","apkmarketurls":[{"apkdivision":"MIRRORING","apktype":"ETC","pc_download_url":"https://play.google.com/store/apps/details?id=com.rsupport.mobizen.cn","mobile_download_url":"https://play.google.com/store/apps/details?id=com.rsupport.mobizen.cn"},{"apkdivision":"MIRRORING","apktype":"SAMSUNG4","pc_download_url":"https://play.google.com/store/apps/details?id=com.rsupport.mobizen.cn.k.sec","mobile_download_url":"https://play.google.com/store/apps/details?id=com.rsupport.mobizen.cn.k.sec"},{"apkdivision":"MIRRORING","apktype":"SAMSUNG5","pc_download_url":"https://play.google.com/store/apps/details?id=com.rsupport.mobizen.cn.k.sec","mobile_download_url":"https://play.google.com/store/apps/details?id=com.rsupport.mobizen.cn.k.sec"}]}

Regards

-- MaksymParpaley - 2017-01-13


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (WindowsNT) With No Separating Space"; flow:established,to_server; content:"WindowsNT"; http_user_agent; content:!".rview.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013721; rev:5;)

Added 2016-12-19 21:00:11 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (WindowsNT) With No Separating Space"; flow:established,to_server; content:"WindowsNT"; http_user_agent; content:!"Host|3a 20|remotepcup.rview.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013721; rev:4;)

Added 2015-07-08 15:30:10 UTC

We are seeing a lot of false positives. The statement content:!"Host|3a 20|remotepcup.rview.com|0d 0a|"; http_header should be modified. The destination host name for the Remote PC application has changed. We see remotepc3.rview.com as the destination host.

-- MaksymParpaley - 2016-12-19

Details:

POST /remoteview/command/agent/agent_login.aspx HTTP/1.1
Accept: text/html, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.1;SV1;.NETCLR
Host: remotepc3.rview.com
Content-Length: 44
Connection: Keep-Alive
Cache-Control: no-cache

<Data intentionally cut>

POST /agent/login_ok HTTP/1.1
Accept: text/html, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
User-Agent: <Data intentionally cut>
Host: remotepc3.rview.com
Content-Length: 382
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: <Data intentionally cut>

<Data intentionally cut>

HTTP/1.1 200 OK
Date: Sun, 18 Dec 2016 10:25:09 GMT
Content-Type: text/xml;charset=UTF-8
ServerName: US1
Keep-Alive: timeout=10, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked

<Data intentionally cut>

-- MaksymParpaley - 2016-12-19
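The two false-positive reports above (the rview.com host change and the Mobizen application) both come down to how the rule's positive content match on the User-Agent buffer and its negated content matches on the normalized header buffer combine. The following is an added example, not part of this page and not Suricata's or Emerging Threats' code: it approximates those two keywords in plain Python and runs revisions 4, 5 and 6 of sid 2013721 over constructed requests modelled on the captures posted above. The third and fourth requests (an unknown host, and a normal browser User-Agent with a separating space) are constructed for contrast and are not from the page.

```python
"""Approximate the matching logic of ET sid 2013721 across revisions 4-6.

Constructed example. It models two Suricata keywords only:
  content:"X"; http_user_agent   -> X must appear in the User-Agent value
  content:!"Y"; http_header      -> Y must NOT appear in the header buffer,
                                    where every header line ends in CRLF
Suricata's real buffers are byte-oriented and go through libhtp
normalization; this is a simplified, string-based model for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CRLF = "\r\n"


@dataclass(frozen=True)
class Rule:
    rev: int
    ua_content: str                    # content:"..."; http_user_agent
    header_exclusions: Tuple[str, ...]  # each: content:!"..."; http_header


# Revisions as they appear on the page (|0d 0a| is CRLF, |3a 20| is ": ").
RULE_REVS = (
    Rule(4, "WindowsNT", ("Host: remotepcup.rview.com" + CRLF,)),
    Rule(5, "WindowsNT", (".rview.com" + CRLF,)),
    Rule(6, "WindowsNT", (".rview.com" + CRLF, ".mobizen.com" + CRLF)),
)


def parse_request(raw: str) -> Tuple[str, str, Optional[str]]:
    """Split a raw HTTP/1.1 request head into (request line, header buffer, User-Agent)."""
    head = raw.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)
    request_line, header_lines = lines[0], lines[1:]
    # Model of http_header: every header line, each terminated by CRLF.
    header_buf = "".join(h + CRLF for h in header_lines)
    user_agent = None
    for h in header_lines:
        name, _, value = h.partition(":")
        if name.strip().lower() == "user-agent":
            user_agent = value.strip()
    return request_line, header_buf, user_agent


def rule_matches(rule: Rule, raw: str) -> bool:
    """True when the positive UA match holds and no negated header match hits."""
    _, header_buf, user_agent = parse_request(raw)
    if user_agent is None or rule.ua_content not in user_agent:
        return False
    return not any(excl in header_buf for excl in rule.header_exclusions)


def evaluate(raw: str) -> Dict[int, bool]:
    """Map each rule revision to whether it would alert on this request."""
    return {r.rev: rule_matches(r, raw) for r in RULE_REVS}


# Constructed requests. The first two reuse the User-Agent and Host values
# shown in the captures above; the others are invented for contrast.
SPACELESS_UA = "Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.1;SV1;.NETCLR"

def _request(host: str, user_agent: str) -> str:
    return CRLF.join([
        "POST /constructed/path HTTP/1.1",
        "Accept: text/html, */*",
        "Content-Type: application/x-www-form-urlencoded",
        "User-Agent: " + user_agent,
        "Host: " + host,
        "Content-Length: 0",
        "Connection: Keep-Alive",
    ]) + CRLF + CRLF

REQ_RVIEW = _request("remotepc3.rview.com", SPACELESS_UA)     # Remote PC, new hostname
REQ_MOBIZEN = _request("www.mobizen.com", SPACELESS_UA)       # Mobizen update check
REQ_UNKNOWN = _request("unknown.example", SPACELESS_UA)       # constructed, no exemption
REQ_NORMAL = _request("unknown.example",
                      "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)")


if __name__ == "__main__":
    for label, req in (("rview", REQ_RVIEW), ("mobizen", REQ_MOBIZEN),
                       ("unknown", REQ_UNKNOWN), ("normal UA", REQ_NORMAL)):
        print(f"{label:10s} {evaluate(req)}")
```

Running it shows why each revision was needed: rev 4 still fires on remotepc3.rview.com because its exclusion pins the full "Host: remotepcup.rview.com" line, rev 5's suffix match ".rview.com" followed by CRLF covers any host under that domain but still fires on www.mobizen.com, and rev 6 exempts both. The unknown host with the space-less User-Agent alerts on every revision, while a normal "Windows NT" User-Agent never does.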


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (WindowsNT) With No Separating Space"; flow:established,to_server; content:"WindowsNT"; http_header; pcre:"/User-Agent\x3A[^\r\n]*WindowsNT/H"; classtype:trojan-activity; sid:2013721; rev:1;)

Added 2011-10-12 19:37:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (WindowsNT) With No Separating Space"; flow:established,to_server; content:"WindowsNT"; http_header; pcre:"/User-Agent\x3A[^\r\n]*WindowsNT/H"; classtype:trojan-activity; sid:2013721; rev:1;)

Added 2011-09-30 17:46:00 UTC


Topic revision: r3 - 2017-01-13 - MaksymParpaley